WinHex & X-Ways Forensics Newsletter Archive

This mailing is to announce the release of another update with many important improvements, v20.6. The official release date was the 24th of July.

Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including current log-in data, details about their licenses and potentially upgrade/renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible.

Please be reminded that if you are interested in receiving information about service releases at the moment when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you could at least use the last service release of that version.

Upcoming Online Live Training

Please sign up for our training notifications here if you would like to be kept up to date on future classes.

What's new in v20.6?
(please note that most changes affect X-Ways Forensics only)

Picture Analysis

• The pixel filter dialog window was redesigned for improved understanding of how it works.

• There is now a small button on the right-hand side of the "Picture analysis and processing" dialog window. Clicking that button will show user interface controls for usage of PhotoDNA and Excire PhotoAI, even if the functionality is unavailable, to give you an idea of how these modules can be used. PhotoDNA is provided for free to users in law enforcement agencies. Excire PhotoAI is commercially available and described here.

• Ability to analyze pictures in HEIC format with Excire PhotoAI.

• Ability to choose the minimum resolution of pictures that should be analyzed with Excire PhotoAI. The previous minimum was 224x224 pixels. If you are interested only in high quality digital photos, you can save time by increasing this minimum a lot. If you are also interested in low resolution photos, including thumbnails (for example because you think thumbnails are sometimes all you can find of incriminating photos), you can use a lower minimum. The absolute minimum accepted is 48x48 pixels, but it is not recommended to go much lower than 80x80 as detection errors will be more frequent if the picture quality is very bad.

• Pictures can now be automatically categorized as irrelevant or notable using Excire PhotoAI. In the extensive hierarchy of identifiable objects you can select individual objects or entire subtrees that render a picture irrelevant from your point of view, such as any kinds of animals, plants, sports, musical instruments etc. Automatically categorizing pictures as irrelevant based on detected image content is subject to two extra conditions: A certain minimum confidence and a certain minimum resolution in KP.

• To reduce the number of report tables associations generated using Excire PhotoAI, within irrelevant subtrees you can choose to not output findings at a lower level. If for example the subtree "Animal" is marked as irrelevant, then if a photo shows an identifiable butterfly, you won't get the report tables "Butterfly" and "Insect", but only "Animal". (Optionally you can get to see in the Comment column which exact animal was identified.)

• You can define what renders a picture notable for you, such as nudity ("act"), vehicles, children, text etc. "Notable" always overrides "irrelevant" when in doubt, if for example dogs are marked as important in a particular case, but animals in general are still marked as irrelevant. The next release of Excire PhotoAI might add detection of guns, powdery substances, pills and pornography.

• Logical AND combinations are supported when categorizing photos as notable based on content detected by Excire PhotoAI. To add a new AND combination, you select the first object name, click the AND button, then select the second object name, and click the AND button again. If you have misclicked, exit the dialog window via Cancel OR simply remove the checkmark in front of your accidental AND combination so that it will not be remembered when you click OK. Two AND combinations are predefined in fresh installations that are meant to assist in searches for child pornography. You can combine any items in the tree, not only those from the bottom-most level that are represented by file icons. Irrelevant and notable detections are defined in these two text files: "Excire Irrelevant.txt" and "Excire Notable.txt".

• Option to conveniently access the keyword list of Excire PhotoAI and see the translation of internal object names to friendly designations in English, German, Spanish, Italian or French (depending on the current user interface language), by clicking the Edit button in the categorization window for Excire. For example, photos identified as act photography can be described as "nudity" instead of "act", if you simply change the word after the comma. You may need to restart X-Ways Forensics to see the effect.

Picture Display

• The internal graphics display library was updated.

• Better support for some PNG pictures with transparency.

• Changed the way thumbnails are created for the case report, for file types supported by the internal graphics display library. Among other file types this affects Photoshop PSD, which apparently cannot be properly rendered by the 64-bit edition of the viewer component, but by the internal graphics display library.

• Applying Exif orientation metadata in Preview mode, for the View command, in the gallery, for OCR and for Excire PhotoAI was partially revised and is now optional and controlled by a 3-state checkbox. If fully checked, the Exif orientation is strictly applied. If half checked (the previous behavior and still the default), it is not applied if X-Ways Forensics thinks it is most likely correct to not (further) rotate or flip the picture.

• Improved Exif orientation compliance in the gallery. In particular, thumbnails and low-resolution alternatives embedded in JPEG files now inherit the Exif orientation from their parent files.

Metadata Extraction

• The Relevance scale for PNG files is now comparable to that of JPEG files, so that sorting files of both types by relevance gives a more plausible result now.

• The compression level of PNG files is now output in the internal metadata in Details mode. It also affects the relevance computation. The conditions "trailing data" and "incomplete" (also in Details mode) are new for PNG files.

• Fixed a problem with false detection of a scanner as the generating device of PNG files.

• If the IFD GPS field in Exif metadata is available, but empty, or if it contains unvalid coordinates, this is an irregular situation, different from the IFD GPS not being present at all, and often means that the GPS data have been removed retroactively. It is now reflected as "GPS format: NaN", where NaN means "not a number".

• Fixed a rare situation in which a geolocation was not output previously.

• Generator signature concept for JPEG pictures revised. The number of error rates was reduced to less than 0.1%, by avoiding hash collisions (one signature matching two devices). This may be noticeable when dealing with Samsung Galaxy devices.

• The Summary table in Details mode for JPEG files now specifies the confidence with which the generating device type was identified.

• Users may now specify a minimum confidence in % that they require for the identification of generating device types of JPEG and PNG pictures.

• Mention of AMPF (presumably for "Apple Multi Picture Format") in the JFIF header in Details mode.

Directory Browser

• Improved readability of tooltips of cells in the directory browser that represent very long text without line breaks, e.g. comments.

• The number of characters extracted from a file (be it via text decoding or OCR) is now shown in the Description column (if the box "other" is checked in the Notation options of the Description column), and with the filter you can require a certain minimum number of characters (like 5 or 10, 255 at most), for example to avoid pictures in which a few characters have been recognized merely erroneously, i.e. pictures that not actually do contain text.

• Directory browser option to display the start offset of the data of a file in the First Sector column instead of the number of the first sector. This is more precise information and available for most files. The title of the column will be changed accordingly in most places of the user interface. The offset can optionally be made a physical offset (from the point of view of the physical disk/image if shown in a partition) just like the sector number can be made a physical sector number. The filter of that column expects numbers of the same meaning as shown in the directory browser (i.e. either offsets or sectors, either logical or physical), and in the same notation (decimal for sector numbers, decimal or hexadecimal for offsets).

• The directory browser context menu command "Find duplicates in list" can now also identify duplicates based on exact identical start offsets instead of just identical start sectors if the "First sector" column is populated with offsets.

• The Hash Category column, which shows which files are considered irrelevant or notable, has been renamed "Categorization". Hash database matching is just one method to populate this column. Files can also be designated as irrelevant or notable by X-Tensions, by adopting data from evidence file containers, now in v20.6 also simply using the directory browser context menu, and more.

• The former "Category" column is now named "Type Category", analogous to "Type Status" and "Type Description".

Usability

• You can now rename any directory browser column to your liking, for example in order to keep continuity in the user interface between earlier and future versions, or for compatibility in data transfers (e.g. Export List command), or because a certain column title has not been translated to your preferred Latin-based user interface language and you would like to see your own translation of the English title, or because you prefer to see "Attributes" instead of the abbreviation "Attr.", etc. In the dialog window with the directory browser options you can simply right-click a column title for that, and will then be given the opportunity to replace the title with your own wording.

• In fact many more text fragments (strings) in the user interface are now customizable, through this menu command: Help | Setup | UI Text Adjustments. You would need to identify the exact standard text fragment to replace and provide your own version of it. If the text that you are looking for is not found and you don't know exactly how it is stored internally, you can search for it in the file "language.dat". Your customizations are stored in the file "UI Text Adjustments.txt" and can be shared with other users. The file can presumably be used in future versions as well, as long as the original text fragments remain the same. It simply consists of one adjustment per line, with the original text first and the replacement second, delimited by a tab character (meaning those few original texts that already contain a tab character cannot be adjusted). You may also edit that file manually. Please note that the translations of non-Latin languages are available as simple text files and can thus be changed in those files much more directly.

• Ability to automatically resume certain operations after a crash (an involuntary program termination), without any user intervention. This is a new setting in Options | Security. The currently supported operations are the stages "file header signature search" and "processing of individual files" of volume snapshot refinement when invoked from the main menu or the command line or by adding evidence objects to a case. Following a crash, these operations will be resumed at a point that depends on when the volume snapshot was last saved. (That in turn depends on the auto-save interval in the case properties because whenever the case is saved, the volume snapshots of all open evidence objects are saved as well. You can also save the case manually while volume snapshots are being refined.) If it is not clear which particular file has triggered a crash because you were running the operation with additional threads, then the operation will be resumed first with no additional threads. With some luck, that will not trigger the crash again. If it does, the operation is resumed once more. Once the exact file is identified, it will be skipped automatically. In case of a crash during the file header signature search, the sector that triggered the creation of a problematic file will be skipped.

• Only in Preview and Beta releases, you can simulate crashes if you wish to observe, test, or demonstrate this new automatic work-around, for example because you wish to benefit from it when running X-Ways Forensics more or less automatically with command line parameters, and need to react to the situation where one instance of X-Ways Forensics disappears and is immediately replaced by another instance that you didn't start yourself. For the simulation, you provide the name of a file that you want to trigger a crash in the supported operations. The filename should be rather unique and target ideally just one file that you know is in the initial volume snapshot or that you expect to be added to the refined volume snapshot. It's case-sensitive. Note that if you have X-Ways Forensics assign names based on incrementing numbers to carved files, and you make it simulate a crash with a carved file whose name is expected to be 012345.jpg, then even if X-Ways Forensics successfully learns to avoid the sector where that file is found in the file header signature search, the next carved file after that might be named 012345.jpg as well (depending on the file type), triggering yet another crash. Unique names of carved files are those derived from the intelligent naming option (like "Canon DIGITAL IXUS 950 IS 2007-07-01 12:01:46.jpg") or from the option to name files based on start sectors. To simulate a random, non-repeatable crash, you can simply terminate X-Ways Forensics with the Windows Task Manager. v20.6 Beta 5 will remain available for a few weeks in case you need this feature.

• The "Uncover embedded data in various file types" functionality now takes extra precautions not to produce duplicates of files that were already carved by the file header signature search. More precisely, its output will replace corresponding carved files in the volume snapshot. The internal IDs of the carved files will remain the same, but additional metadata may become available (such as path/representation as a child object of the parent file, presumed original filename, more correct file size etc.). With the usual settings, this affects a considerable number of sector-aligned files, from example in the Chrome browser cache.

• Makes a note in the report of how report table items are sorted.

• Reminds users of the paths where hash databases are stored when managing those hash databases.

• The more complex version of the dialog window that allows you to manage report tables and report table association now also has a button to remove associations with the selected report tables.

User Interface

• Ability to create two copies of an image file when imaging from the command line. The path of the second copy, if desired, may be appended after the path of the first copy, delimited by a forward slash. Example: "|e01|Z:\First Copy.e01/V:\Second Copy.e01|Image description|Examiner name".

• RVS:~ in the command line refines the volume snapshots of all evidence objects of a case, while RVS:~+ now refines the volume snapshots of only newly added evidence objects (added since the case was opened).

• The user interface now shows improved instructions for the reconstruction of certain Linux MD RAID variants.

• The settings of the file header signature search are now accessible from within the refine volume snapshot dialog window via a "..." button, just like all the other subsettings, and like most of them are usually now shown only on demand.

File Type Support

• New option to accelerate various operations such as volume snapshot refinement, logical searches, and especially the optional dynamic context preview rendering around search hits in the search hit list, by keeping more decompressed contents of file archives in the volume snapshot cache. This option can be found in Options | Volume Snapshot. It generally accelerates opening files in archives again after the first time, especially nested archives.
  
  The volume snapshot cache could become very large that way. It can be discarded optionally whenever closing the data window if you like (useful if you are done dealing with that evidence object for the moment, or done with the entire case), and that is a case-specific setting in the case properties. Once discarded, files can get cached again afterwards at any time if/when they are opened again, if the option for that is active. If the box for caching is half checked, that means only nested archives are cached, similar to how compressed TAR archives were in previous versions.

• Clicking files in non-nested archives of the type zip in the directory browser in Partition/Volume mode now causes jumps directly to the respective zip record. More precisely to the filename part of that record, to make the contained file better distinguishable from its parent (also in terms of the 1st sector/Offset column). The actual start of the record is already sufficiently highlighted by the automatic signature recognition.

Searching

• Now filters out leading white spaces resulting from OCR text recognition.

• A new option in Options | Viewer Programs makes X-Ways Forensics ignore OCR-derived text if it does not contain at least x contiguous useful characters. Such OCR results will not be stored/output/copied/indexed/searched. This is beneficial if you apply OCR to unknown/random/ordinary pictures (i.e. not known textual data), to reduce the number of files that later will (misleadingly) respond to the Description filter for files with OCR-derived text or for which child objects are (unnecessarily) created by the "Copy: Extracted Text" function etc. A "useful" character is defined here as a character with an ASCII/Unicode value of 0x30 or higher. That means whitespaces <=0x20 are not counted, and neither are the printable characters !=#$%&'()*+,-.& (0x21-0x2F range) because some of them are occasionally misdetected in random pixels. All real letters in any language count, and so do numbers ("0" through "9").

• Logical searches remember if OCR was applied to pictures unsuccessfully (meaning with no resulting text) so that subsequent searches with OCR enabled will quickly skip those files.

• Warns users about spaces at the end of search terms (e.g. resulting from copy & paste).

File System Support

• Improved representation of HFS+ file systems with redundant inactive catalog entries: Duplicate entries in the Catalog (one inactive and one active) for the same file or directory (same ID, same name) are apparently created under Linux, under certain circumstances. In newly taken volume snapshots now usually only the active one will be included.

• HFS+: If an inactive Catalog entry and an active entry was found for the same directory (same ID, same name) and both were included in the volume snapshot, in newly taken volume snapshots the content of that directory will be shown for the existing directory, and not randomly in one of the two.

• Option to restrict the search for NTFS FILE records (part of the particularly thorough file system data structure search) to the currently defined block. (If no block is defined, the search will be carried out in all sectors of the volume as usually.)

• The kind of data structure to be found at the designated file system offset is now printed right in the "File system offset" column, for files and directories in NTFS.

• Option to define a fallback code page for Ext* file systems in the case properties, or even enforce a non-standard code page, by half-checking or fully checking the box next to the second case-specific code page in the case properties. That code page will be used to decode filenames and directory names that are not encoded in UTF-8 (the Linux default), which may be the case in some legacy systems, or other purpose-built environments where encodings other than UTF-8 were specified.

Miscellaneous

• The "Event Log Events.txt" config file now accepts a line beginning (1st column position) with a semicolon to signify a comment line. Obviously this can be used either to remove lines from parsing or to add comments to particular sections. The configuration file now accepts an optional fourth column that can be used to add a plain text comment to the Event's Description column.

• "Event Log Events.txt" now contains some explanations as comments and has an example of a comment that is taken over into the event description in the event list.

• Exporting and importing selected report tables to/from text files now include the descriptions in addition to just the report table names.

• The list of sectors to omit during the file header signature search can now comprise 16 sector numbers per evidence object instead of just 8.

• Option to automatically categorize FuzZyDoc matching documents as notable.

• Unicode filename support in the "Wipe Securely" function.

• X-Tension API: The XWF_OutputMessage() function now accepts the flag 0x8, which directs the message to the Output window, as opposed to the Messages window, where users may want to select and copy text and where no [XT] prefix is inserted to distinguish between internal messages and messages from X-Tensions.

• The program help and the user manual were updated.

• Many minor improvements.

What is planned for the next release of Excire PhotoAI?

• Identification of the following objects/content in photos: guns, powdery substances, pills, pornography.

Changes of service releases of 20.5

• SR-1: The table of generating devices was updated.

• SR-1: Some new video generator signatures.

• SR-1: Some more format variants added for the device type "Video publishing".

• SR-1: Structure types are now computed for the file types XLS, WEBP, and WAV.

• SR-1: More formats supported for filename analysis.

• SR-1: Keyboard shortcut assignments in the report table association dialog did not always work in v20.5. That was fixed.

• SR-2: Improved Unicode support for EVTX processing.

• SR-2: The definitions in "Event Log Events.txt" were not applied completely when processing .evtx event logs since v20.4 SR-6. That was fixed.

• SR-2: Fixed unintended dependency of the alternative e-mail presentation in the case report on the setting in Options | Viewer Programs.

• SR-2: Originally WofCompressed files in evidence file containers could not be opened for reading. That was fixed.

• SR-2: The particularly thorough file system data structure search in NTFS now skips some volume areas that could only result in unnecessary duplicate findings, and grouping orphaned files now always happens in virtual directories that have a connection to the root directory via the virtual "Path unknown" directory.

• SR-2: Fixed some report table management functions for the new optional report table listing in alphabetical order.

• SR-2: Clarified supported file types in online Excire product description. Clarified supported file types for face definitions in marker-help.txt in the Excire package. Face marking now accepts supported picture files with any filename extension or without filename extension.

• SR-3: The directory browser context menu command to copy extracted text to various output channels had encoding issues with some settings. That was fixed.

• SR-3: The alternative e-mail preview did not present Date and Recipient fields in some rare cases. That was fixed.

• SR-3: Fixed occasional inability to preview compressed Prefetch files in v20.5.

• SR-3: Fixed sorting partitions by size in the directory browser.

• SR-3: Fixed a user interface error that could occur in some installations in v20.5 SR-2.

• SR-4: Some minor improvements and fixes.

Become a certified user of X-Ways Forensics
Become an X-PERT (X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.

Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

This mailing is to announce the release of another update with important improvements, v20.5, and a 3rd party module for X-Ways Forensics and X-Ways Investigator.

Customers please go to https://www.x-ways.net/winhex/license.html as always for the latest download instructions including current log-in data, details about their licenses and potentially upgrade/renewal offers. Please do not ask us about the download password. Your organization has access to it already if eligible.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version.

Upcoming Online Live Training

Please sign up for our training notifications here if you would like to be kept up to date on future classes.

Excire: Photo Analysis with Artificial Intelligence

Excire for X-Ways Forensics is a separately available product based on technology developed by Pattern Recognition Company GmbH, a German AI company.

• It automatically analyzes photos and identifies image content (objects like buildings, animals, plants, beaches, mountains, people, adults, babies, faces, eyes, beards, naked bodies, text, ...) as well as color themes and photo properties, which are all described as keywords. You can focus on photos with particular relevant keywords (combined with AND or OR) or filter out photos with irrelevant keywords.

• It allows you to find photos that are “similar” from the perspective of an artificial intelligence to a collection of typical relevant photos from earlier cases or other photos that you provide.

• It allows you to find faces of particular people in photos of new cases.

Of great benefit for forensic investigators is that Excire works completely offline. Everything happens on your own machine. You don't need to trust any cloud service to which you would have to upload photos. No Internet connection is required*. That is just like you know it from X-Ways Forensics. *An Internet connection is required once when you acquire your licenses, and for that you could use a different computer. An Internet connection is also required when using trial licenses.

Owners of licenses for X-Ways Forensics with active access to updates (not licenses for educational use) can order Excire for X-Ways Forensics for those licenses with a 25% discount. A coupon code is provided in license status messages (from https://www.x-ways.net/winhex/license.html). This offer is valid only for orders placed by April 24, 2022. Prices and an order form can be found here. Technical details here.

What's new in v20.5?
(please note that most changes affect X-Ways Forensics only)

Picture Analysis

• An interface for Excire (see above) is now built into X-Ways Forensics and X-Ways Investigator. The overall integration in X-Ways Forensics is seamless. You use the same operations as always (volume snapshot refinement) and the same filters that you already know (for report table associations or comments or metadata), and the results are stored in the volume snapshot or in evidence file containers. You can assign special cell colors in the directory browser to photos with keywords that are of particular interest to you. Keywords that describe photos are currently available in these languages: English, German, French, Spanish and Italian.

• When computing PhotoDNA hash values and storing the hashes for deduplication and fast re-matching, X-Ways Forensics now also automatically compares embedded thumbnails to their parent files. If the difference is noticable, that will be brought to the user's attention with two report tables, "Thumbnail discrepancy" and "Thumbnail notable (data corrupt/incomplete)", where the latter means that there is a difference most likely just because the parent file is corrupt or incomplete. (The thumbnail, which requires little storage space and is located near the start of the file, could be unaffected and therefore helpful.) The former could indicate that someone has retroactively altered /redacted the full resolution picture and left the embedded thumbnail as it was.

File Format Support

• X-Ways Forensics from now on distinguishes between 4 instead of 3 possible file format consistency states: unknown, OK, irregular and corrupt. Important for the Type status filter settings.

• Improved PNG screenshot identification. In particular, a new Exif format is supported that is used mainly for Android screenshots. This allows to verify whether such Android screenshots are original.

• Additional generator signatures defined.

• Support for new Exif tags concerning composite images and time zones.

• Revised recognition of camera original pictures, now with a lower false negative rate, especially for Xiaomi smartphones.

• Further revised generating device identification (esp. smartphones, esp. all Samsung smartphones) with around 34,000 definitions and two new iOS release identifications.

• Evaluates camera debug information in the Application Marker 4 for Samsung smartphones such as camera serial number, timestamp of the last firmware update, and a 2-letter country code. This may enable the examiner to associate a photo with the exact device that took it.

• Provides the last printing date and the internal last modification date of OpenOffice documents as events.

• Revised and improved alternative .eml preview, which is important also for the case report option "Alternative .eml presentation directly in browser".

• Ability to process carved compressed PF prefetch files.

File System Support

• Supports new style of reparse point text of Windows 11.

• A renamed/moved file in a volume snapshot for a FAT file system that still exists under a different name or in a different directory was handled inconsistently before. Now it is read exactly like its existing counterpart, i.e. following cluster chains as defined in the file allocation table, regardless of the state of the "Deleted files skip used clusters" setting, resulting in identical hash values, duplicate search hits, etc.

Platform Support

• Recognizes Windows 11 as a platform and was confirmed to run on Windows 11 practically as well as on Windows 10.

• Now executable again under Windows XP (with limitations).

Data Acquisition

• New command "Capture Processes" in the Tools menu in X-Ways Forensics that allows to acquire all data in the memory of running processes on a live system contiguously (i.e. pages in the order as allocated by the process). The creation times of processes can be seen as the creation timestamps of the memory dumps. Pages marked as containing executable code (PAGE_EXECUTE* styles) are optional and if omitted will suitably reduce the amount of data if you are merely interested in keyword searches or carving and not malware analysis. Carving in the memory dumps (files shown as type "mem") can be performed by uncovering embedded data, one of the functions of volume snapshot refinement.

• This command can also produce a tab-delimited list of all top-level windows with their titles and corresponding processes plus (comma-delimited) the titles of their child windows. Screenshots of some of the top-level windows are taken and output automatically. If this functionality is used without administrator rights, only processes of the current user are covered, otherwise all processes.

• The output folder of "Capture Processes" is by default either a subdirectory of the case or - if no case is active - a subdirectory of the directory for images. It can be automatically explored in Windows File Explorer once the output is complete and/or added to the active case as a directory.

• The memory dumped by "Capture Processes" can also be useful on your own system if an application in which you type text (e.g. an e-mail client) suddenly freezes and you want to recover what you wrote.

• A filter is available for process dumping. You can use it like other file mask filters in X-Ways Forensics. For example "explorer.exe" will only dump memory and windows of the Windows File Explorer process. ":C*" will dump all processes except those whose names starts with the letter "C", i.e. for example not "Chrome.exe". The file mask is not case sensitive. Multiple file masks can be concatenated with semicolons. (However, the total length is limited.)

• Ability to interpret unencrypted evidence files in Ex01 format as partitioned physical media or volumes.

• Improved handling of hard disks that were partitioned and formatted as if they had a different sector size.

User Interface

• An up-to-date English language Tooltips.txt file is now included in the download. If you wish to see those tooltips for the controls (mostly checkboxes) in your dialog windows, please make sure that "Tooltips.txt" is activated in Options | General. A German-language Tooltips.txt is available from the resource download area for users of X-Ways Investigator and X-Ways Forensics. If you wish to share your translation to another language with other users, please send us your copy of the file so that we can put it there as well. Thank you.

• Report tables can now be alphabetically sorted in the dialog windows for filtering and for report table management. By default, they will be listed in the order in which they were created, as before.

• Report tables that were created by the application as hints for the user are now listed optionally, and they are now the only ones that are indented.

• New colors were defined for the various kinds of report tables (ordinary user-created, hints for the user, hash sets, search terms, duplication groups, ...), and the triangles in the Name cells that indicate the existence of report table associations for the file are now shown in the same colors. The display of those triangles is now optional, see Options | Notation.

• Registry Viewer: Ability to copy the value data as shown in the list view on the right-hand side. (In order to copy the value data in binary, select the value in the list view, move the registry viewer aside and copy the selected data from File mode.)

• Printing templates did not show formatted GUIDs correctly. That was fixed.

Directory Browser

• The rules of advanced sorting are now also applied to the Hash Set column.

• After matching hash values against the hash database, multiple matching hash sets for a given file are now listed within the cell in the same order as they are contained in the hash database, and not in a random order.

• Comments of evidence objects are now also shown in the Comments column in the Case Root window and can be edited from there. The description of evidence objects is now also shown in the Metadata column in the Case Root window.

• If a filter is active with a NOT setting, you are now reminded of that by a red funnel symbol.

• To remind the user that an OR combination of filters is active, the word "OR" is now displayed in larger letters and with pointing fingers in the caption line of the directory browser.

• Colored cells now have an optional color gradient. This can be enabled separately for each cell coloring condition. The exact rules to determine the background color of rows in the directory browser based on focus, selection, mouse hover status, dark mode and cell coloring have been generally revised.

• In conditional cell coloring, you now have the option to color the Name cell in addition to the original cell that the condition is based on. Useful if you wish to be visually alerted of the matching condition even if the triggering column is currently not visible, and if highlighting the entire line would be too much.

• The Notation settings now allow you to see some "internal" flags in the Description column if you wish. Those flags identify the status of a file in volume snapshot refinement.
  [Emb]: checked for embedded data to uncover
  [Arc]: file archive checked for content
  [Enc]: encryption test already performed
  [Ext]: e-mail or e-mail archive checked for extractable content
  [Met]: checked for internal metadata
  [Xtn]: created by an X-Tension.

Miscellaneous

• Applying X-Tensions to files in selected directories is now optional. (In case a particular X-Tension is useful when applied to directories only.)

• The "Mount as Drive Letter" functionality now comes with a new option named "Apply recursively" to present files from all subdirectories of the currently active evidence object or the selected directory in a flat list. This is useful if you wish to use an external program to view many of the files and don't wish to bother with directory navigation. When using this option, the int. IDs of the files are inserted into the filenames to make the files better identifiable to X-Ways Forensics.

• Ability to define the maximum size of files for which thumbnails should be created in the gallery. It may be necessary to increase that limit for high resolution Photoshop PSD pictures, for example.

• Automatic verification of newly created images via hash is now applied to an optional 2nd image copy also when adding the 1st copy to the active case.

• Option to hide case backup files with the H attribute.

• Many minor improvements.

Changes of service releases of 20.4

• SR-1: The hash types for disk imaging and volume snapshot refinement can now be selected in the same dialog window, which requires two mouse clicks less and means that .dlg files of these dialog windows will cover the settings more completely.

• SR-1: Avoided a read error that could occur when OCRing files.

• SR-1: Prevents repeated output of hint on use of multiple .settings files.

• SR-2: If you get file creation error messages when running OCR with multiple threads, you can now try an unlabeled, but tooltipped checkbox next to the Tesseract OCR option to make X-Ways Forensics wait longer for Tesseract to finish.

• SR-2: Fixed a potential infinite loop that could occur with certain PDF documents when uncovering embedded data.

• SR-2: Now uses an embedded JPEG picture as the thumbnail of certain camera raw files in the case report.

• SR-2: When the case report is generated, the user now has the option to explore the directory where the report is stored instead of viewing the report directly.

• SR-2: The hint given in fresh installations that the RVS processing state of files in evidence file containers is taken over is now given repeatedly, until the user disables it. Previously it was probably often overlooked or ignored and/or not understood.

• SR-2: Chinese translation of the user interface updated.

• SR-3: Fixed an exception error that could occur in v20.4 with WofCompressed or possibly other kinds of pseudo-sparse files.

• SR-3: Prevented inability to load previously decoded text that was written incompletely because of a crash. Earlier versions of X-Ways Forensics cannot load decoded text stored by v20.4 SR-3 and later.

• SR-4: Faster viewing and previewing of large PSD pictures, using the internal graphics viewing library instead of the viewer component.

• SR-4: Fixed an error in the Tools | Compute Hash command that occurred when applied in File mode.

• SR-4: Attaching files in the case root window previously switched to a file listing that was shown as being not recursive. That was fixed.

• SR-5: Waits longer for closed evidence objects to open if targeted by RVS, to avoid the error message "Sorry, the following evidence object was skipped".

• SR-5: Fixed a cluster allocation display error of v20.4 SR-4.

• SR-5: Fixed an exception error that could occur in v20.4 under certain circumstances when generating the case report.

• SR-6: The mouse wheel now also works for scrolling in Windows 10 when the cursor hovers over a directory browser tooltip.

• SR-6: Fixed inability to remove certain context menu commands from the Windows shell via Options | General.

• SR-6: Support for a newer variant of Windows 10 thumbcache index files in file type verification and Details mode.

• SR-6: Fixed inability to extract certain tables from some SQLite database as TSV child objects.

• SR-6: Fixed a crash that could occur if the user inserted a trailing blank line at the end of "Event Log Events.txt".

• SR-6: Fixed inability of v20.4 to properly open ordinary sparse files in NTFS.

• SR-6: In OSDirList volume snapshots, directories were previously skipped if their names started with two dots. That was fixed.

• SR-6: Tooltips now also work in the dialog windows for simple text and hex searches.

• SR-6: Restoring old backups of cases did not always discard all newer components of volume snapshot that did not exist in the backup (e.g. events).

• SR-6: Replacing text or hex values in a file with data of different size did not always work in files larger than 2 GB. That was fixed.

Become a certified user of X-Ways Forensics
Become an X-PERT (X-Ways Professional in Evidence Recovery Techniques)

Prove your proficiency in computer forensics in general and X-Ways Forensics in particular with our certification program. After passing the challenging exam, you will be part of an exclusive circle and enjoy various benefits such as special recognition, training discounts, updated training material. For further details, please check here.

Thank you for your attention! We hope to see you soon somewhere at https://www.x-ways.net or on our Facebook page. You may also follow us on Twitter. Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.